DNR names, SSN on lost data drive

Official says employees being informed, protected

May 04, 2007|By Candus Thomson | Candus Thomson,Sun Reporter

A miniature data storage device containing the names and Social Security numbers of 1,433 current and retired Department of Natural Resources employees is missing but does not appear to have been used to exploit personal information, according to the superintendent of the agency's police force.

Col. George F. Johnson IV said the DNR is taking steps to make sure those employees are protected and to avoid another security breach. As a precaution, DNR has sent out a memo instructing its officers and rangers on how they can sign up for a free credit check and monitoring of their credit cards for 90 days.

Their personal information was downloaded to a "thumb drive" by an employee of the Information Technology unit at the Department of Natural Resources, who was going to catch up on his work at home on April 18.

The employee, who uses mass transit to get to and from DNR's Annapolis headquarters, spent a day searching for the device before reporting it missing on April 20, Johnson said.

Police investigators believe the thumb drive is "simply a lost memory stick," Johnson said. "It's unfortunate that these occurrences are becoming more commonplace, but it is a sign of the times," he said.

Last year, a congressional report said workers at 19 federal agencies have misplaced or lost personal information affecting thousands.

In February, officials at Johns Hopkins had to tell thousands of university employees and hospital patients that computer tapes with personal information, including Social Security numbers, direct-deposit bank account information and medical records, were missing.

Johnson said when he learned the scope of the problem, he looked into getting a group rate for credit monitoring, which would have cost about $25,000.

"The DNR secretary [John R. Griffin] was prepared to do that, but the individual can do it for free," Johnson said. "As an individual, I would feel more comfortable controlling my own monitoring."

Ed Eicher, president of the State Law Enforcement Officers Labor Alliance, the union that represents Natural Resources officers, said he was pleased with the steps being taken.

"I think 90 days is sufficient to determine whether any of the officers becomes a victim of identity theft. If the information hasn't been used by then, it's not likely to be," he said.

But there are cases of retired officers who have moved from Maryland and not left a forwarding address.

"All of the DNR employees whose information was lost have NOT been contacted," retired officer Don Tracey e-mailed the Sun. "I live in Maine and have an answering machine and nothing has been on that, nor have I received any mail regarding the lost info."

Eicher said he is working with the officers' alumni association to track down hundreds of retirees such as Tracey.

DNR Deputy Secretary Eric Schwaab said the incident will lead to "a state-of-the-art IT [information technology] policy. This isn't just about thumb drives. This is about who carries a laptop out of the building, what data is out there and who has access to it."

Schwaab, a former officer, said he could not talk about whether the employee was disciplined, citing state personnel rules.

"Obviously, you would rather not have an employee walking around with that kind of information in his pocket," said Schwaab. "But this was a guy working at home at night and on weekends to get his job done."